DraftKings Inc. (DKNG) has been hit with a lawsuit in California alleging its website secretly collected data from visitors using software linked to multiple third-party data brokers.
The case, filed in the Central District of California, is the latest in a growing wave of litigation targeting companies under California’s Invasion of Privacy Act, known as CIPA.
Plaintiff Dana Hughes alleges that DraftKings operated its website with data broker software from NextRoll, The Trade Desk, and Comscore without visitors’ knowledge or consent.
Hughes claims the software secretly collected data about website visitors, including their devices, locations, page views, and browser characteristics, to identify and track users for marketing and profiling purposes.
The complaint alleges that data reasonably likely to identify Hughes was transmitted to at least three third parties through code running on the DraftKings site during her visit.
The core legal theory centres on California Penal Code section 638.51, which prohibits the use of so-called trap and trace devices without a court order or user consent.
Hughes argues the tracking code captured electronic signals and identifying information from visitors’ devices, meeting the legal threshold for an unlawful trap and trace device under California law.
The plaintiff is seeking class certification, statutory damages under CIPA, punitive damages, restitution, disgorgement, injunctive relief, and attorneys’ fees, among other relief.
The DraftKings complaint specifically targets third-party tags that many businesses treat as standard marketing infrastructure, including retargeting pixels, cookie-based identifiers, browser fingerprinting, and cross-site tracking tools.
The lawsuit signals a broader trend in which plaintiffs are scrutinising routine website advertising and analytics tools through the lens of California’s wiretap and trap-and-trace laws.
Legal experts warn that businesses receiving CIPA demands or complaints should quickly map which third-party scripts run on their sites and what data those scripts collect or transmit to outside vendors.
Companies are also being advised to assess whether their vendors qualify as data brokers or advertising technology providers and to review what consent, disclosure, and vendor controls are currently in place.
The case reinforces the urgency for businesses operating websites with third-party analytics or advertising tools to conduct thorough privacy audits before facing similar litigation.

